Google API Services, including Google Sign-In, are part of an authentication andauthorization framework that gives you, the developer, the ability to connectdirectly with Google users when you would like to request access to Google userdata. The policy below, as well as theGoogle APIs Terms of Service,govern the use of Google API Services when you request access to Google userdata. Please check back from time to time as these policies are occasionallyupdated.

Accurately represent your identity and intent

If you wish to access Google user data you must provide Google users and Googlewith clear and accurate information regarding your use of Google API Services.This includes, without limitation, requirements to accurately represent:

• Who is requesting Google user data? All permission requests mustaccurately represent the identity of the application that seeks access to userdata. If you have obtained authorized client credentials to access Google APIServices, keep these credentials confidential.
• What data are you requesting? You must provide clear and accurateinformation explaining the types of data being requested. In addition, if youplan to access or use a type of user data that was not originally disclosed inyour privacy policy (or in-product disclosures) when a Google user initiallyauthorized access, you must update your privacy policy and prompt the user toconsent to any changes before you may access that data.
• Why are you requesting Google user data? Be honest and transparent withusers when you explain the purpose for which your application requests userdata. If your application requests data for one reason but the data will alsobe utilized for a secondary purpose, you must notify Google users of both usecases. As a general matter, users should be able to readily understand thevalue of providing the data that your application requests, as well as theconsequences of sharing that data with your application.

Be transparent about the data you access with clear and prominent privacy disclosures

You must publish a privacy policy that fully documents how your applicationinteracts with user data. You must list the privacy policy URL in your OAuthclient configuration when your application is made available to the public.

Your Privacy Policy and all in-product privacy notifications should beaccurate, comprehensive, and easily accessible. Your privacy policy andin-product privacy notifications must thoroughly disclose the manner in whichyour application accesses, uses, stores, or shares Google user data. Your use ofGoogle user data must be limited to the practices explicitly disclosed in yourpublished privacy policy, but you should consider the use of additional in-product notifications to ensure that users understand how your application willhandle user data. If you change the way your application uses Google user data,you must notify users and prompt them to consent to an updated privacy policybefore you make use of Google user data in a new way or for a different purposethan originally disclosed.

Disclosures about data use should be prominent and timely. Yourprivacy policy and any in-product notifications regarding data use should beprominently displayed in your application interface so that users can find thisinformation easily. Where possible, disclosures about data use should be timelyand shown in context.

Request the minimum relevant permissions

Permission requests should make sense to users, and should be limited to thecritical information necessary to implement your application.

Don't request access to information that you don't need. Only requestaccess to the permissions necessary to implement your application's features orservices. If your application does not require access to specific permissions,then you must not request access to these permissions. Don't attempt to "futureproof" your access to user data by requesting access to information that mightbenefit services or features that have not yet been implemented.

Request permissions in context where possible. Only request access touser data in context (via incremental auth) whenever you can, so that usersunderstand why you need the data.

Deceptive or unauthorized use of Google API Services is prohibited

You are strictly prohibited from engaging in any activity that may deceive usersor Google about your use of Google API Services. This includes withoutlimitation the following requirements:

Do not misrepresent what data is collected or what you do with Google userdata. Be up front with users so that they can make an informed decision togrant authorization. You must disclose all user data that you access, use,store, delete, or share, as well as any actions you take on a user's behalf.

You are not permitted to access, aggregate, or analyze Google user data if thedata will be displayed, sold, or otherwise distributed to a third partyconducting surveillance.

Overall there should be no surprises for Google users: hidden features,services, or actions that are inconsistent with the marketed purpose of yourapplication may lead Google to suspend your ability to access Google APIServices.

Do not mislead Google about an application's operating environment.You must accurately represent the environment in which the authentication pageappears. For example, don't claim to be an Android application in the user agentheader if your application is running on iOS, or represent that yourapplication's authentication page is rendered in a desktop browser if insteadthe authentication page is rendered in an embedded web view.

Do not use undocumented APIs without express permission. Don'treverse engineer undocumented Google API Services or otherwise attempt to deriveor use the underlying source code of undocumented Google API Services. You mayonly access data from Google API Services according to the means stipulated inthe official documentation of that API Service, as provided on Google'sDeveloper Page.

Do not make false or misleading statements about any entities that haveallegedly authorized or managed your application. You must accuratelyrepresent the company, organization, or other authority that manages yourapplication. Making false representations about client credentials to Google orGoogle users is grounds for suspension.

Child-directed apps

The Children's Online Privacy Protection Act, orCOPPA, applies towebsites, apps, and services directed to children under the age of 13 andgeneral audience apps, websites, or services with users known to be under theage of 13. Whilechild-directed apps may use some Google services,developers are responsible for using these services according to theirobligations under the law. Please review the FTC's guidance on COPPA (includinginformation about the differences between mixed audience apps and apps directedprimarily to children from theFTC's website) and consult with yourown legal counsel.

Child-directed apps: If your application is directed primarily atchildren, it should not use Google Sign-In or any other Google API Service thataccesses data associated with a Google Account. This restriction includes GooglePlay Games Services and any other Google API Service using the OAuth technologyfor authentication and authorization.

Mixed audience apps: Applications that are mixed audience shouldn'trequire users to sign in to a Google Account, but can offer, for example, GoogleSign-In or Google Play Games Services as an optional feature. In these cases,users must be able to access the application in its entirety without signinginto a Google Account.

Maintain a secure operating environment

We expect all user data is secure in transit and at rest. Take reasonable andappropriate steps to protect all applications or systems that make use of GoogleAPI Service and any data derived from it against unauthorized or unlawfulaccess, use, destruction, loss, alteration, or disclosure.

Additional Requirements for Specific API Scopes

Certain Google OAuth API Scopes (the "Sensitive andRestricted Scopes") are subject to additional requirementsthat can be found in each product's User Data and Developer Policy or theGoogle Developer Page. More information about the requirements to obtain(or keep) access to these scopes is also available in theOAuth Application Verification FAQ.

Note: If your app is only used by users within your own domain, then theserequirements do not apply.Google Workspace can control access toconnected applicationsvia allowlisting. Learn moreaboutbest practices for managing your enterprise OAuthecosystem.

Unless stated otherwise in the product's User Data and Developer Policy,additional requirements include:

1. Appropriate Access: Developers may only request access to thescopes for a permitted Application Type described by the product. Suchapplication types can be found under an Appropriate Access heading in theproduct specific policy or the product'sGoogle Developer Page.

2. Limited Use: Your use of data obtained via the product'sspecified scopes must comply with the below requirements. These requirementsapply to the raw data obtained from the scopes and data aggregated,anonymized, or derived from them.

   1. Limit your use of data to providing or improving user-facing featuresthat are prominent in the requesting application's user interface;

   2. Transfers of data are not allowed, except:

      1. To provide or improve your appropriate access or user-facingfeatures that are visible and prominent in the requestingapplication's user interface and only with the user's consent;
      2. For security purposes (for example, investigating abuse);
      3. To comply with applicable laws; or,
      4. As part of a merger, acquisition, or sale of assets of the developerafter obtaining explicit prior consent from the user.

   3. Don't allow humans to read the data, unless:

      1. You first obtained the user's affirmative agreement to view specificmessages, files, or other data, with the limited exception of usecases approved by Google under additional terms applicable to theNest Device Access program;
      2. It is necessary for security purposes (for example, investigating abug or abuse);
      3. It is necessary to comply with applicable law; or
      4. The data (including derivations) is aggregated and used for internaloperations in accordance with applicable privacy and otherjurisdictional legal requirements.

   All other transfers, uses, or sales of user data are prohibited, including:

   1. Transferring or selling user data to third parties like advertisingplatforms, data brokers, or any information resellers.
   2. Transferring, selling, or using user data for serving ads, includingretargeting, personalized or interest-based advertising.
   3. Transferring, selling, or using user data to determine credit-worthinessor for lending purposes.

   You must ensure that your employees, agents, contractors, and successorscomply with this Google API Services User Data Policy.

3. Secure Data Handling: Applications accessing the productspecified scopes (the "Sensitive andRestricted Scopes") must demonstrate that they adhere to certainsecurity practices. Depending on the API being accessed and number of usergrants or users, applications must pass an annual security assessment andobtain a Letter of Assessment from a Google-designated third party. Moreinformation about the assessment requirements to obtain or keep access tothe scopes is also available in theOAuth Application Verification FAQ and the product'sGoogle Developer Page.

Enforcement

You must access Google API Services in accordance with theGoogle APIs Terms ofService. If you are found to be out of compliance with theGoogle APIsTerms of Service, this Google API Services: User Data Policy, or anyGoogle product policies that are applicable to the Google API Service you areusing, Google may revoke or suspend your access to Google API Services and otherGoogle products and services if you are found in violation of other productpolicies, terms of service, or other guidelines. Your access to Google APIServices may also be revoked if your application enables end-users or otherparties to violate the Google APIs Terms of Service and/or Google policies.